Litigation: Practical and legal considerations for online privacy policies

Using an online privacy policy to generate customer goodwill while providing full disclosure in compliance with state and federal law

Most companies with an online presence post a “privacy policy” on their websites that describes how the company obtains, manages, uses and discloses information regarding their customers (or users of the website), as well as describing any rights that customers have with respect to the company’s use of that information. When drafting privacy policies, companies typically seek to provide complete and detailed disclosures while rendering those disclosures in concise language to avoid the risk of customer confusion.

Drafting a privacy policy in language that customers can understand has become more essential as customers are increasingly interested in privacy-related issues. A 2012 survey by TRUSTe, a privacy management solutions provider, found that 94 percent of respondents thought privacy was an important issue, 60 percent of respondents were more concerned about online privacy than a year before and 35 percent of respondents stated that they had stopped doing business with a company over privacy concerns. Moreover, 85 percent of respondents who owned a smartphone said they wouldn’t download mobile applications that they don’t trust. Given this trend of increasing privacy-related concerns, many companies recognize that their online privacy policy can provide a means of building trust and goodwill with their customers.

Many states have enacted privacy laws. One that has received significant press recently, due to enforcement activities by the California attorney general, is the California Online Privacy Protection Act (CalOPPA). CalOPPA governs “any commercial web sites or online services,” including mobile applications, “that collect personal information on California residents through a web site” and explicitly mandates the posting of a privacy policy that describes what personally identifiable information about customers is being collected and what will be done with that information. Although the scope of this article is limited to compliance with domestic laws, companies operating outside the U.S. also need to be aware of laws governing privacy policies enacted by other countries.

Beyond the issue of whether a privacy policy complies with legal requirements, companies should also be aware that making explicit representations in a privacy policy regarding how customer data will be used or maintained can create litigation and regulatory enforcement risks. Indeed, the FTC has launched investigations and filed complaints against companies that allegedly failed to abide by their own privacy policies.

Contributing Author

Matthew Brown

Matthew D. Brown is a partner in Cooley LLP’s Litigation Department in San Francisco and a member of the firm’s Privacy, Commercial Class Action Litigation,...

Contributing Author

Christopher Durbin

Christopher B. Durbin is a partner in Cooley LLP’s Litigation Department in Seattle and a member of the firm’s Commercial Class Action Litigation, Securities Litigation,...

Contributing Author

Darcie Tilly

Darcie A. Tilly is an associate in Cooley LLP’s Litigation Department in San Diego and a member of the firm’s Commercial Class Action Litigation, Privacy,...
